Browse Source

deployment: added server config

main
root 5 months ago
parent
commit
4402cebab6
  1. 21
      deployment/LICENSE.md
  2. 71
      deployment/README.md
  3. 15
      deployment/hosts/beherbergung-lifeline/configuration.nix
  4. 15
      deployment/modules/default.nix
  5. 48
      deployment/modules/hetzner.nix
  6. 16
      deployment/modules/nix.nix
  7. 107
      flake.lock
  8. 64
      flake.nix

21
deployment/LICENSE.md

@ -0,0 +1,21 @@
MIT License
Copyright (c) 2022 TiMMi Transport
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

71
deployment/README.md

@ -0,0 +1,71 @@
This repository contains the completely declarative+reproducible configurations to deploy a server hosting the „beherbergung“ service and basic infrastructure for reliabiliy+maintainability.
Most of the service definitions should re reusable with minimal adaptions for completely different projects.
* CI/CD
* buildcache
* [monitoring + alerting](./modules/monitoring/README.md)
* backup
* dns
* reverse proxy + acme
Secrets are encrypted with sops.
## Deploy
Once the servers are installed following [the bootstrap instructions](#bootstrap), the roll out of configuration changes on all servers is trivial.
As a developer with an [authorized key](./modules/hetzner.nix), call:
```shell
nix run
```
## Update
To update all flakes and redeploy, call:
```shell
nix flake update
nix run
```
## Bootstrap
To setup a new server:
1. boot a nixos image
2. mount the future / to /mnt
3. copy this repo to /mnt/etc/nixos
4. check flake.nix and hosts/$HOSTNAME/\*configuration.nix
- set a correct static ipv6
5. nixos-install:
```shell
nix-shell -p nixUnstable --command "nixos-install --no-root-passwd --flake .#${HOSTNAME}"
```
6. setup sops:
6.1. add the new hosts key to sops config
```shell
nix shell /etc/nixos#ssh-to-pgp --command ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key
edit .sops.yaml sops/keys/hosts/$HOSTNAME.asc
```
6.2. add pubkey to the developers keyring
```shell
gpg --import sops/keys/hosts/$HOSTNAME.asc
```
6.3. edit secrets + use them
```shell
nix shell .#sops --command sops sops/secrets/*
edit modules/sops.nix
```
## Ensure, outgoing SMTP is permitted by your hoster:
```shell
openssl s_client -connect smtp.1und1.de:587 -starttls smtp
openssl s_client -connect smtp.1und1.de:465
```

15
deployment/hosts/beherbergung-lifeline/configuration.nix

@ -0,0 +1,15 @@
{ config, pkgs, ... }:
{
imports = [
../../modules/hetzner.nix
];
system.stateVersion = "21.11";
networking = {
hostName = "beherbergung-lifeline";
interfaces.ens3 = {
ipv6.addresses = [ { address = "2a01:4f8:c0c:cf13::1"; prefixLength = 64; } ];
};
};
}

15
deployment/modules/default.nix

@ -0,0 +1,15 @@
{ config, pkgs, ... }:
{
time.timeZone = "Europe/Berlin";
environment.systemPackages = with pkgs; [
vim tmux
wget curl
htop atop iotop iftop
file bc jq
git
bind.dnsutils
];
environment.variables = { EDITOR = "vim"; };
}

48
deployment/modules/hetzner.nix

@ -0,0 +1,48 @@
## a common hardware-configuration.nix for our hetzner servers
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/sda1";
fsType = "ext4";
};
swapDevices = [ ];
boot.loader.grub = {
enable = true;
version = 2;
devices = [ "/dev/sda" ];
};
networking = {
useDHCP = false;
interfaces.ens3 = {
useDHCP = true;
#ipv6.addresses ## should be set for each host
};
defaultGateway6 = {
address = "fe80::1";
interface = "ens3";
};
};
users.users.root = {
openssh.authorizedKeys.keys = [
## J03
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDW+YfsFtRz1h/0ubcKU+LyGfxH505yUkbWa5VtRFNWF2fjTAYGj6o5M4dt+fv1h370HXvvOBtt8sIlWQgMsD10+9mvjdXWhTcpnYPx4yWuyEERE1/1BhItrog6XJKAedbCDpQQ+POoewouiHWVAUfFByPj5RXuE8zKUeIEkGev/QKrKTLnTcS8zFs/yrokf1qYYR571B3U8IPDjpV/Y1GieG3MSNaefIMCwAAup1gPkUA0XZ4A1L7NdEiUEHlceKVu9eYiWUM+wDRunBXnLHubeGyP8KmBA7PNKgml3WWRNTZjqNQk4u9Bl+Qea5eCkD8KI257EqgXYXy0QBWNyF8X j03@l302"
];
};
services.openssh = {
enable = true;
permitRootLogin = "prohibit-password";
};
}

16
deployment/modules/nix.nix

@ -0,0 +1,16 @@
{ config, pkgs, nixpkgs, ... }:
{
boot.cleanTmpDir = true;
nix.package = pkgs.nixUnstable;
nix.extraOptions = "experimental-features = nix-command flakes";
#nix.daemonIONiceLevel = 7;
#nix.daemonNiceLevel = 19;
nix.autoOptimiseStore = true;
nix.gc = {
automatic = true;
dates = "weekly";
};
}

107
flake.lock

@ -0,0 +1,107 @@
{
"nodes": {
"dns": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1635273082,
"narHash": "sha256-EHiDP2jEa7Ai5ZwIf5uld9RVFcV77+2SUxjQXwJsJa0=",
"owner": "kirelagin",
"repo": "dns.nix",
"rev": "c7b9645da9c0ddce4f9de4ef27ec01bb8108039a",
"type": "github"
},
"original": {
"owner": "kirelagin",
"repo": "dns.nix",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1614513358,
"narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5466c5bbece17adaab2d82fae80b46e807611bf3",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nix-deploy-git": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1637044180,
"narHash": "sha256-5r3pOGql5wr0PtuOb0rJ0EeorcT3A43tWYRRvnZB0jk=",
"owner": "johannesloetzsch",
"repo": "nix-deploy-git",
"rev": "c1c0b1def56009e8647bfe57c555c6bea0fb2b1a",
"type": "github"
},
"original": {
"owner": "johannesloetzsch",
"ref": "main",
"repo": "nix-deploy-git",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1646588256,
"narHash": "sha256-ZHljmNlt19nSm0Mz8fx6QEhddKUkU4hhwFmfNmGn+EY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "2ebb6c1e5ae402ba35cca5eec58385e5f1adea04",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-21.11",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"dns": "dns",
"nix-deploy-git": "nix-deploy-git",
"nixpkgs": "nixpkgs",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1646696263,
"narHash": "sha256-a+6WgDoU2fd4bbSFMqK67i/ZTPzia29otmyeODa1uDU=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "4e21493d34f7485a568e05b9cbefa11fe047ecd3",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

64
flake.nix

@ -0,0 +1,64 @@
{
description = "https://github.com/internet4refugees/beherbergung.git development environment + package + deployment";
inputs = {
#nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.11";
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-deploy-git = {
url = "github:johannesloetzsch/nix-deploy-git/main";
inputs.nixpkgs.follows = "nixpkgs";
};
dns = {
url = "github:kirelagin/dns.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = { self, nixpkgs, sops-nix, nix-deploy-git, dns }:
let
system = "x86_64-linux";
pkgs = import nixpkgs { inherit system; };
inherit (pkgs) lib;
commonAttrs = {
system = "x86_64-linux";
extraArgs = { flake = self; inherit system dns; };
};
commonModules = [
./deployment/modules/nix.nix
./deployment/modules/default.nix
#sops-nix.nixosModules.sops
#./deployment/modules/sops.nix
#./deployment/modules/dns.nix
#./deployment/modules/monitoring/client.nix
#./deployment/modules/nginx/timmi.nix
#nix-deploy-git.nixosModule
#./deployment/modules/nix-deploy-git.nix
];
in
rec {
legacyPackages.${system} = (lib.mergeAttrs pkgs {
#nixos-deploy = import ./tools/deploy.nix { inherit pkgs; };
});
#defaultPackage.${system} = legacyPackages.${system}.nixos-deploy;
nixosConfigurations = {
beherbergung-lifeline = nixpkgs.lib.nixosSystem (lib.mergeAttrs commonAttrs {
modules = commonModules ++ [
./deployment/hosts/beherbergung-lifeline/configuration.nix
#./deployment/modules/nginx/timmi-public.nix
#./deployment/modules/binarycache/client.nix
#./deployment/modules/binarycache/server.nix
#./deployment/modules/monitoring/server.nix
];
});
};
};
}
Loading…
Cancel
Save